feat: adopt GoReleaser with Ko integration for releases

Replace raw ko/crane/cosign CLI orchestration with GoReleaser v2,
which handles binary builds, container images (via kos:), checksums,
SBOMs, changelog, and GitHub releases in a single declarative config.

Author: mchmarny

.github/actions/load-versions/action.yml

@@ -29,6 +29,9 @@ outputs:
   cosign:
     description: 'Cosign version'
     value: ${{ steps.versions.outputs.cosign }}
+  goreleaser:
+    description: 'GoReleaser version'
+    value: ${{ steps.versions.outputs.goreleaser }}
 
 runs:
   using: 'composite'
@@ -51,6 +54,7 @@ runs:
 
         # Build
         echo "registry=$(yq eval '.build.registry' .settings.yaml)" >> $GITHUB_OUTPUT
+        echo "goreleaser=$(yq eval '.build.goreleaser' .settings.yaml)" >> $GITHUB_OUTPUT
 
         # Testing
         echo "kind_version=$(yq eval '.testing.kind_version' .settings.yaml)" >> $GITHUB_OUTPUT
@@ -68,5 +72,6 @@ runs:
         echo "  golangci_lint: ${{ steps.versions.outputs.golangci_lint }}"
         echo "  scan_severity: ${{ steps.versions.outputs.scan_severity }}"
         echo "  registry: ${{ steps.versions.outputs.registry }}"
+        echo "  goreleaser: ${{ steps.versions.outputs.goreleaser }}"
         echo "  kind_version: ${{ steps.versions.outputs.kind_version }}"
         echo "  k8s_version: ${{ steps.versions.outputs.k8s_version }}"

.github/workflows/on-tag.yaml

@@ -16,7 +16,6 @@ jobs:
   release:
     timeout-minutes: 30
     env:
-      IMAGE_NAME: node-role-controller
       DEPLOYMENT_PATCH_FILE: deployment/overlays/dev/patch-deployment.yaml
     outputs:
       image-uri: ${{ steps.image.outputs.uri }}
@@ -26,14 +25,16 @@ jobs:
       source-tag: ${{ github.ref_name }}
     runs-on: ubuntu-latest
     permissions:
-      contents: read
+      contents: write
       security-events: write
       id-token: write
       packages: write
       attestations: write
     steps:
 
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      with:
+        fetch-depth: 0
 
     - name: Load versions
       id: versions
@@ -51,55 +52,33 @@ jobs:
     - name: Test
       run: go test -count=1 -covermode=atomic -coverprofile=coverage.out ./...
 
-    - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d  # v0.9
-    - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e  # v0.4
-    - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62  # v3.10.0
-
-    - name: Authenticate
-      run: |
-        echo ${{ secrets.GITHUB_TOKEN }} | ko login ghcr.io -u ${{ github.actor }} --password-stdin
-        echo ${{ secrets.GITHUB_TOKEN }} | crane auth login ghcr.io -u ${{ github.actor }} --password-stdin
-        echo ${{ secrets.GITHUB_TOKEN }} | cosign login ghcr.io -u ${{ github.actor }} --password-stdin
-
-    - name: Build Image
-      id: image
-      env:
-        KO_DOCKER_REPO: ${{ steps.versions.outputs.registry }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
-        KO_DEFAULTBASEIMAGE: cgr.dev/chainguard/static:latest
-      run: |
-        set -euo pipefail
-        ko build main.go \
-          --platform linux/amd64,linux/arm64 \
-          --image-refs .refs \
-          --bare \
-          --tags latest \
-          --tags ${{ github.ref_name }}
-        cat .refs
-        DIGEST="$(crane digest ${KO_DOCKER_REPO}:${{ github.ref_name }})"
-        echo "uri=${KO_DOCKER_REPO}:${{ github.ref_name }}@${DIGEST}" >> "$GITHUB_OUTPUT"
-        echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
-        echo "name=${KO_DOCKER_REPO}" >> "$GITHUB_OUTPUT"
+    - name: Install GoReleaser
+      uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a  # v6.4.0
+      with:
+        install-only: true
+        version: ${{ steps.versions.outputs.goreleaser }}
 
-    - name: Attest
-      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a  # v3.0.0
+    - name: Login to GHCR
+      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772  # v3.4.0
       with:
-        subject-name: ${{ steps.image.outputs.name }}
-        subject-digest: ${{ steps.image.outputs.digest }}
-        push-to-registry: true
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
 
-    - name: Publish Attestation
+    - name: Release
       env:
-        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        IMAGE: "${{ steps.image.outputs.name }}@${{ steps.image.outputs.digest }}"
-        BUNDLE: "${{ steps.image.outputs.digest }}.jsonl"
-        COSIGN_EXPERIMENTAL: "1"
-        ATTEST_TYPE: "https://slsa.dev/provenance/v1"
-        PREDICATE: "predicate.json"
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: make release
+
+    - name: Extract Image Metadata
+      id: image
       run: |
         set -euo pipefail
-        gh attestation download "oci://$IMAGE" -R ${{ github.repository }} --predicate-type $ATTEST_TYPE --limit 1
-        jq -r '.dsseEnvelope.payload | @base64d | fromjson | .predicate' $BUNDLE > $PREDICATE
-        cosign attest -y --type $ATTEST_TYPE --predicate $PREDICATE $IMAGE
+        IMAGE_NAME=$(jq -r '[.[] | select(.type == "Docker Manifest")] | first | .name' dist/artifacts.json)
+        DIGEST=$(jq -r '[.[] | select(.type == "Docker Manifest")] | first | .extra.Digest' dist/artifacts.json)
+        echo "uri=${IMAGE_NAME}@${DIGEST}" >> "$GITHUB_OUTPUT"
+        echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
+        echo "name=${IMAGE_NAME%%:*}" >> "$GITHUB_OUTPUT"
 
     - name: Setup KinD Cluster
       uses: chainguard-dev/actions/setup-kind@eab208ef2d05b13404296a5e194a6b237e8bb213  # v1.6.4

.goreleaser.yaml

@@ -0,0 +1,85 @@
+version: 2
+
+project_name: node-role-controller
+
+builds:
+  - id: node-role-controller
+    binary: node-role-controller
+    main: main.go
+    mod_timestamp: '{{ .CommitTimestamp }}'
+    env:
+      - CGO_ENABLED=0
+    flags:
+      - -trimpath
+    ldflags:
+      - -w
+      - -s
+      - -extldflags "-static"
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+
+gomod:
+  proxy: false
+
+kos:
+  - id: node-role-controller
+    build: node-role-controller
+    repositories:
+      - ghcr.io/mchmarny/node-role-controller
+    base_image: cgr.dev/chainguard/static:latest
+    platforms:
+      - linux/amd64
+      - linux/arm64
+    tags:
+      - latest
+      - "{{.Tag}}"
+    preserve_import_paths: false
+    bare: true
+
+sboms:
+  - artifacts: binary
+
+checksum:
+  name_template: "{{ .ProjectName }}_checksums.txt"
+  algorithm: sha256
+
+snapshot:
+  version_template: "{{ .Tag }}-next"
+
+report_sizes: true
+
+metadata:
+  mod_timestamp: "{{ .CommitTimestamp }}"
+
+release:
+  github:
+    owner: mchmarny
+    name: rolesetter
+  draft: false
+
+changelog:
+  sort: asc
+  use: github
+  filters:
+    exclude:
+      - "^build:"
+      - "^docs:"
+      - "^test:"
+      - "^lint:"
+      - "^chore: readme"
+      - "^chore: bump version"
+  groups:
+    - title: Features
+      regexp: '^.*?feat(\([[:word:]]+\))??!?:.+$'
+      order: 0
+    - title: Tasks
+      regexp: '^.*?chore(\([[:word:]]+\))??!?:.+$'
+      order: 1
+    - title: Bug fixes
+      regexp: '^.*?(fix|bug)(\([[:word:]]+\))??!?:.+$'
+      order: 2
+    - title: Others
+      order: 999

.settings.yaml

@@ -17,6 +17,7 @@ linting:
 # Build Configuration
 build:
   registry: 'ghcr.io'
+  goreleaser: 'v2.14.1'
 
 # Testing Configuration
 testing:

Makefile

@@ -16,7 +16,7 @@ GO_ENV := \
 	GO111MODULE=$(GO111MODULE) \
 	CGO_ENABLED=$(CGO_ENABLED)
 
-.PHONY: all build lint clean test help tidy upgrade tag pre helm-lint helm-publish
+.PHONY: all build lint clean test help tidy upgrade tag pre helm-lint helm-publish release build-snapshot
 
 all: help
 
@@ -25,6 +25,12 @@ pre: tidy lint test vet helm-lint ## Run all quality checks
 build: ## Build the Go binary locally
 	$(GO_ENV) go build -v -o bin/$(APP_NAME) main.go
 
+release: ## Run GoReleaser release
+	goreleaser release --clean --fail-fast --timeout 30m
+
+build-snapshot: ## Run GoReleaser snapshot build (local dev)
+	goreleaser build --clean --single-target --snapshot
+
 clean: ## Clean the build artifacts
 	$(GO_ENV) go clean -x; \
 	rm -f bin/$(APP_NAME)